How to Verify ACLs


The Verify operation determines if the ACLs currently in the active configuration on your devices are the same as the ones that are defined in the ACL Manager database. You can verify the ACLs on all the devices in the ACL Manager database or only on selected devices or device groups.

Verifying ACLs

Use the following steps to perform the Verify operation.

  1. Select the device or device group in the Console left-panel tree.
  2. Click the Verify button in the right-panel ACL Manager tab.
  3. If the Verify operation detects a mismatch between ACLs, the ACL Verification Results window opens where you can view the differences between the selected device's active configuration and the model in ACL Manager. The top panel lists the interfaces where there are differences between the ACLs. When an interface is selected from the top list, the lower-right panel shows the ACLs applied to the interface in the device (Device ACL) and the lower-left panel shows the ACLs for the interface that are stored in the ACL Manager database (Model ACL). Differences between the Device ACL and Model ACL are highlighted by a red exclamation mark.
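
The comparison behind Verify can be pictured as a per-interface diff of two ordered rule lists, reporting only the interfaces that differ. The Python below is an added example, not ACL Manager's own code; the interface names, the generic rule syntax, and the assumption that rule order is significant (first-match ACLs) are constructed for illustration.

```python
from difflib import SequenceMatcher
from itertools import zip_longest

# Constructed sample data: target interface -> ordered rule list (generic syntax).
MODEL_ACLS = {
    "port1": ["permit tcp any host 10.0.0.10 eq 443", "deny ip any any"],
    "port2": ["permit udp any any eq 53", "deny ip any any"],
    "port3": ["deny ip any any"],
    "port4": ["deny tcp any any eq 23", "permit tcp any any"],
}
DEVICE_ACLS = {
    "port1": ["permit tcp any host 10.0.0.10 eq 443", "deny ip any any"],
    "port2": ["permit udp any any eq 53", "permit tcp any any eq 23", "deny ip any any"],
    # port3 has no ACL applied on the device
    "port4": ["permit tcp any any", "deny tcp any any eq 23"],  # same rules, reordered
}

def verify_acls(model, device):
    """Return {interface: [(model_rule, device_rule), ...]} for interfaces that differ.

    Assumption: rule order is significant, so a reordered list is a mismatch
    even when both sides hold the same rules. None marks a rule that is
    missing on that side.
    """
    mismatches = {}
    for iface in sorted(set(model) | set(device)):
        m, d = model.get(iface, []), device.get(iface, [])
        if m == d:
            continue  # only interfaces with differences are reported
        rows = []
        matcher = SequenceMatcher(a=m, b=d, autojunk=False)
        for tag, i1, i2, j1, j2 in matcher.get_opcodes():
            if tag != "equal":
                rows.extend(zip_longest(m[i1:i2], d[j1:j2]))
        mismatches[iface] = rows
    return mismatches

if __name__ == "__main__":
    for iface, rows in verify_acls(MODEL_ACLS, DEVICE_ACLS).items():
        print(iface)
        for model_rule, device_rule in rows:
            print(f"  ! model: {model_rule!s:40} device: {device_rule}")
```

The port4 case is the one a set-based comparison would miss: both sides contain the same two rules, but the reordering changes which rule matches first.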

Resolving Differences

If there are differences between the ACLs currently in the active configuration and the ACLs modeled in ACL Manager, use the following steps to help resolve them. Most differences can be easily resolved by choosing between the ACL in the device and the ACL in ACL Manager and then enforcing the right one on the device. But sometimes when there have been many changes, either to the ACLs in the device or to the ACLs in ACL Manager, resolving the differences may require a greater effort. To keep the process of resolving differences manageable, it is strongly recommended that you Verify ACLs frequently and make ACL Manager your primary tool for managing ACLs.

  1. In the top panel of the ACL Verification Results Window, select a device from the drop-down list and an interface from the table. (Only interfaces with differences are listed.) The lower-right panel shows the ACLs applied to the interface in the device (Device ACL) and the lower-left panel shows the ACLs for the interface that are stored in the ACL Manager database (Model ACL). Differences between the Device ACL and Model ACL are highlighted by a red exclamation mark.
  2. Examine the differences:
    • If the rules in the Device ACL table are the ones that should be enforced for the selected target, then you must import the device ACL into the Imported ACLs folder in the ACL Editor. You can use the Verify Devices in List button to refresh the data in the Verification Results Window.
    • If the rules in the Model ACL table are the ones that should be enforced for the selected target, keep the Model ACL, as is. Do not import the Device ACL.
  3. When you've resolved all the differences for all the targets on a particular device, Enforce the ACLs for that device.
    1. Return to the ACL Manager tab and select the devices where you've just resolved the ACL differences in the Console left-panel tree.
    2. Click the Enforce button in the ACL Manager tab.
  4. Back in the ACL Verification Results Window, click Verify Devices in List.
  5. Repeat Steps 1 through 4 until you have resolved all of the differences. If you have differences that are difficult to resolve, review the following suggestions.
    • Preserve what you have by saving your current ACL Manager database. You can now safely make changes to ACLs without concern about regression.
    • Examine the ACL in ACL Manager. Use the ACL Packet Evaluation Tool to test packets against the ACL and assess the impact of any changes before you Apply and Enforce the ACL in the device.
    • Import the ACL from the device. Use the ACL Packet Evaluation Tool to test packets against the ACL and assess the impact of any changes before you Apply and Enforce the ACL to the device.
    • If you decide to use the ACL in ACL Manager instead of the imported ACL, you must apply the Model ACL to the target before enforcing ACLs on the device.
    During the verification process, if you edit or delete rules in an ACL, use the Verify Devices in List button to update the Verification Results Window.
  6. When you've resolved all the differences for all your devices, the Verify Results window is closed and the message "No discrepancies were found during verify" appears on the Status bar.
